Lookout discovers hundreds of Android app-based crypto mining scams

Endpoint-to-cloud security company, Lookout, has discovered major crypto mining scams using hundreds of Android apps. Categorised into two distinct Android app families, BitScam and CloudScam, the apps arew designed to target people interested in cryptocurrencies.

In total, security researchers at the Lookout Threat Lab identified more than 170 apps that are estimated to have scammed more than 93,000 victims. The majority of these apps are side-loaded (not via Google Play) although 25 were available for download on the Google Play app store. Lookout has been in close contact with Google and the apps on Play have been removed.

The BitScam and CloudScam apps advertise themselves as providing cloud cryptocurrency mining services for a fee. After analysing the apps, Lookout researchers found that no cloud crypto mining actually takes place. The scammers pocket the money spent on apps and upgrades without ever delivering the promised services. Lookout estimated that the apps stole more than $350,000 from their victims.

BitScam and CloudScam apps both trick people into thinking they are paying for cloud crypto mining services. In addition to the apps themselves costing money, they promote additional services and upgrades that users can purchase within the apps, either by transferring cryptocurrencies to the developers’ wallets or through Google Play. These apps also display fake minimum account balances to entice users to spend more money on the services and upgrades.

While the BitScam and CloudScam crypto mining apps have now been removed from Google Play, there are dozens more available for download on third-party app stores.

These apps were able to fly under the radar because they don’t actually do anything malicious. They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.

Ioannis Gasparis, mobile application security researcher, Lookout